Blog Comment Spam Points to Drive-By Site

I just want to take a moment to thank the malware author who posted a spam comment to the Webroot Threat Blog blog the other day. You guys make my job so easy.

The spam comment, which reads Hello. I the beginner. I wish to show to you,scandal story and links to a drive-by download site, is a tremendous help to our researchers, who are always on the lookout for new threats.

Of course, the malware distributor could have employed a more effective hook to convince someone to click a link than the one he used.

The link claims to point to a page hosted on the free Blogspot blog site to a nude video — not of Paris Hilton, Venus Williams, or Erin Andrews — but of…Diane Sawyer, the respected, award-winning anchor of ABC’s World News Tonight.

The Blogspot page has a static image that looks like a streaming video player embedded in the page below a portrait of Sawyer, and the text Watch Diane Sawyer Nude: Click HERE. Click the “video” and you’re instead redirected to a Javascript file on the Web site adultsvid.cn, which redirected my computer to a page on another Web site, metds.org. The Javascript appears to redirect users to different pages — 38 total, all named after slightly younger stars of stage and screen — presumably, depending on the subject of the comment spam.

In this script, Sawyer’s name gave way to those of somewhat younger actresses, including Mila Kunis, Elisha Cuthbert, Kristen Bell, Eliza Dushku, Summer Glau, Zooey Deschanel, Sarah Chalke, and Tina Fey, and 30 others. There’s the old, familiar social engineering we know and love hate.

You eventually land on a page for a Web site that calls itself Close Club Video, featuring another (entirely bogus) image that looks like another streaming video window.

But it didn’t matter which celebrity strikes your fancy: Each of the redirections lead to the same destination, a page which tries to push a fake Flash codec download to visitors from the domain video-codec.co.tv. The download process begins after a slick, also-fake animation of an Adobe Flash Player update alert message slides down the screen.

Click anywhere on the page, and you end up triggering the download of the fake codec:

The fake codec Web page is actually pretty amusing to play with. Most of the content — an animated GIF of an Ajax “loading” spinner, the number of “views” of the video — is static and unchanging.

But if you modify the query string in the URL, you can replace the text “Diane Sawyer sex tape” and get the page to display any text you like.

Unfortunately, the payload of the page is significantly less amusing.

The flash_video.exe payload (in repeat performances, the site delivered a file named flash_video_update.exe) was actually an installer of a file we classify to Trojan-DermoDNS,a modified version of the Trojan-Downloader-Dermo that downloads, in addition to an installer for Adware-Sabotch, a payload which modifies the DNS settings of the infected computer so it resolves IP addresses through a server in Russia instead of your local ISP—potentially giving the operator of that Russian server a way to subtly manipulate what appears in the browser on an infected computer.

Existing bulk-detection signatures are able to squelch the DermoDNS and Sabotch payloads, and all but one of the domains involved in the attack were already blocked in the desktop product’s Communications Shield at the time we discovered the scam. We’ve added the new domain to our latest definitions set.

But the best way to avoid an infection is to be smart about what you download and run. Refrain from running random applications. If you need to update the Adobe Flash player, head to the official Adobe download site to download the latest version, and don’t trust an unknown Web site that claims to deliver Flash to your PC.